Session end reason: decrypt-cert-validation
120111
Created On 03/22/19 05:56 AM - Last Modified 04/01/19 09:11 AM
Symptom
- SSL breaks when the firewall is configured as an "SSL Forward Proxy" and is decrypting the traffic. Without decryption, the SSL connection between the client and server succeeds.
- The session end reason is "decrypt-cert-validation".
- In packet captures, the firewall sends "Alert (Level: Fatal, Description: Handshake Failure)" after receiving the server certificate, and SSL access fails.
- Dataplane debugs (log features enabled: flow basic, ssl basic, proxy basic) show the following when parsing the server certificate [How to take debugs?]:
2019-03-21 17:43:59.079 +0800 debug: pan_ssl3_process_handshake_msg(pan_ssl3.c:1087): receive handshake 2 ServerHello length 77 st 0x8000000024db6740 client
2019-03-21 17:43:59.079 +0800 debug: pan_ssl3_client_process_handshake(pan_ssl_client.c:1231): st 0x8000000024db6740 write_state 0 type=2
2019-03-21 17:43:59.079 +0800 debug: pan_ssl3_client_get_server_hello(pan_ssl_client.c:271): CLIENT CHOOSE VER=5 version(129 226)
2019-03-21 17:43:59.079 +0800 debug: pan_ssl3_client_get_server_hello(pan_ssl_client.c:278): server version 5, profile bitmask setting version 112
2019-03-21 17:43:59.079 +0800 debug: pan_ssl3_client_get_server_hello(pan_ssl_client.c:330): server issued new session ID 32
2019-03-21 17:43:59.079 +0800 debug: pan_ssl3_client_get_server_hello(pan_ssl_client.c:383): CLIENT CHOOSE CIPHER=0x9d
2019-03-21 17:43:59.079 +0800 debug: pan_ssl3_client_parse_server_hello_extensions(pan_ssl_client.c:181): extension 0xff01, length 1
2019-03-21 17:43:59.079 +0800 debug: pan_ssl_prf_select(pan_ssl_hs.c:616): --SELECT-PRF--ver=5 algo=1
2019-03-21 17:43:59.079 +0800 debug: pan_ssl3_client_get_server_hello(pan_ssl_client.c:463): client session, -2-server hello- 0x8000000024db6740 version 5, =not resumed, cipher=157
2019-03-21 17:43:59.079 +0800 debug: pan_ssl3_client_process_handshake(pan_ssl_client.c:1259): st 0x8000000024db6740 expect certificate
2019-03-21 17:43:59.079 +0800 debug: pan_ssl3_process_handshake_msg(pan_ssl3.c:1157): read state change to 2
2019-03-21 17:43:59.079 +0800 debug: pan_ssl3_process_handshake_msg(pan_ssl3.c:1198): UPDATE hs_type=2 ServerHello side=client size=81
2019-03-21 17:43:59.079 +0800 debug: pan_proxy_ssl_handshake_cb(pan_proxy_ssl.c:929): respond to server handshake 2 done
2019-03-21 17:43:59.079 +0800 debug: pan_ssl_proxy_parse_record(pan_ssl_proxy.c:339): received record 22 length 933
2019-03-21 17:43:59.079 +0800 debug: pan_ssl_proxy_parse_record(pan_ssl_proxy.c:384): decoded record length 933
2019-03-21 17:43:59.079 +0800 debug: pan_ssl3_process_handshake_msg(pan_ssl3.c:1087): receive handshake 11 Certificate length 929 st 0x8000000024db6740 client
2019-03-21 17:43:59.079 +0800 debug: pan_ssl3_client_process_handshake(pan_ssl_client.c:1231): st 0x8000000024db6740 write_state 0 type=11
2019-03-21 17:43:59.080 +0800 debug: pan_x509_parse_tbs_certificate(pan_x509.c:1917): invalid version 3 failed
2019-03-21 17:43:59.080 +0800 debug: pan_x509_parse_cert(pan_x509.c:2251): pan_asn1_tbs_certificate() failed
2019-03-21 17:43:59.080 +0800 debug: pan_x509_parse_certs_chain(pan_x509.c:2425): pan_x509_parse_cert() failed; error
2019-03-21 17:43:59.080 +0800 debug: pan_x509_parse_and_validate_chain(pan_x509.c:3938): pan_x509_parse_certs_chain() failed
2019-03-21 17:43:59.080 +0800 Error: pan_ssl_get_cert_cache_from_cert(pan_ssl.c:1732): pan_x509_parse_and_validate_cert() failed
2019-03-21 17:43:59.080 +0800 Error: pan_ssl3_client_get_server_cert(pan_ssl_client.c:540): pan_ssl_get_cert_cache_from_cert() failed -3
2019-03-21 17:43:59.080 +0800 Error: pan_ssl3_client_process_handshake(pan_ssl_client.c:1272): pan_ssl3_client_get_server_cert() failed
2019-03-21 17:43:59.080 +0800 Error: pan_ssl_proxy_handle_rt_hs(pan_ssl_proxy.c:242): pan_ssl3_process_handshake_msg() failed -3
2019-03-21 17:43:59.080 +0800 Error: pan_ssl_proxy_parse_data(pan_ssl_proxy.c:609): pan_ssl_parse_record() failed
140.124.3.65[46334]-->140.92.88.43[25]
2019-03-21 17:43:59.080 +0800 pan_proxy_handle_error(pan_proxy.c:2078): handle error -3
2019-03-21 17:43:59.080 +0800 debug: pan_proxy_ssl_check_block_error(pan_proxy.c:1793): invalid cert
2019-03-21 17:43:59.080 +0800 Error: pan_proxy_ssl_check_block_error(pan_proxy.c:2059): In session(1583), encounters error_id(-3 PAN_SSL_ERROR_INVALID_CERT), action: block
2019-03-21 17:43:59.080 +0800 debug: pan_proxy_ssl_proc_data(pan_proxy_ssl.c:1039): pan_ssl_proxy_parse_data() failed -3, block
Environment
- Firewall
- PAN-OS
- SSL Forward Proxy
Cause
- The structure of the server certificate does not conform to the X.509 certificate ASN.1 (Abstract Syntax Notation One) definition.
- The Palo Alto firewall checks whether the certificate is a valid X.509 v1, v2 or v3 certificate.
- This check happens irrespective of the configuration in the Decryption profile and cannot be bypassed.
Resolution
- Provision a server certificate whose structure conforms to the X.509 ASN.1 definition.
- X.509 v3 (version 3) is the most common; v1 and v2 are considered legacy. The Palo Alto firewall accepts any of the three.
- Common reasons for a server certificate being rejected:
  - The certificate presented is self-signed but is not marked as a CA certificate.
  - The certificate has no Key Usage field.
  - The certificate has no Basic Constraints field.
  These fields are required to determine whether the certificate is a Root CA or a server certificate.
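The following is an added example, not Palo Alto Networks code: a minimal DER walker that extracts the X.509 version and the extension OIDs from a certificate, so the version and the Key Usage (2.5.29.15) / Basic Constraints (2.5.29.19) checks listed above can be run on a certificate before it is deployed behind the forward proxy. The DER bytes at the end are constructed by hand (empty names, key and signature) purely to exercise the parser; feed inspect_cert() the DER bytes of a real certificate to check it.

```python
OID_KEY_USAGE, OID_BASIC_CONSTRAINTS = "2.5.29.15", "2.5.29.19"   # id-ce arcs
def read_tlv(buf, pos=0):
    """Decode one DER TLV at pos; return (tag, value, next_pos)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                                  # long-form length
        n, pos = length & 0x7F, pos + (length & 0x7F)
        length = int.from_bytes(buf[pos - n:pos], "big")
    return tag, buf[pos:pos + length], pos + length

def children(buf):
    """Yield (tag, value) for each TLV directly inside a constructed value."""
    pos = 0
    while pos < len(buf):
        tag, val, pos = read_tlv(buf, pos)
        yield tag, val

def decode_oid(raw):
    """Dotted string from encoded OID bytes (first byte packs two arcs)."""
    arcs, acc = [raw[0] // 40, raw[0] % 40], 0
    for b in raw[1:]:
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs, acc = arcs + [acc], 0
    return ".".join(map(str, arcs))

def inspect_cert(der):
    """Version, extension OIDs and the Resolution conditions a DER cert trips."""
    _, cert, _ = read_tlv(der)                         # Certificate ::= SEQUENCE
    _, tbs, _ = read_tlv(cert)                         # tbsCertificate SEQUENCE
    version, exts = 1, []                              # version DEFAULT v1
    for tag, val in children(tbs):
        if tag == 0xA0:                                # [0] EXPLICIT Version
            version = read_tlv(val)[1][0] + 1          # wire 0/1/2 -> v1/v2/v3
        elif tag == 0xA3:                              # [3] EXPLICIT Extensions
            for _, ext in children(read_tlv(val)[1]):  # each Extension SEQUENCE
                exts.append(decode_oid(read_tlv(ext)[1]))  # extnID comes first
    problems = [msg for bad, msg in [
        (version not in (1, 2, 3), "unsupported X.509 version"),
        (OID_KEY_USAGE not in exts, "no Key Usage extension"),
        (OID_BASIC_CONSTRAINTS not in exts, "no Basic Constraints extension")] if bad]
    return {"version": version, "extensions": exts, "problems": problems}

def tlv(tag, body):            # short-form DER encoder, enough for the sample
    return bytes([tag, len(body)]) + body
# Constructed sample, not a real certificate: v3 layout with Basic Constraints
# but no Key Usage; names, SPKI and signature are empty placeholders.
_bc = tlv(0x30, tlv(0x06, b"\x55\x1d\x13") + tlv(0x04, tlv(0x30, b"")))
_tbs = tlv(0x30, tlv(0xA0, tlv(0x02, b"\x02")) + tlv(0x02, b"\x01")
           + tlv(0x30, b"") * 5 + tlv(0xA3, tlv(0x30, _bc)))
SAMPLE_DER = tlv(0x30, _tbs + tlv(0x30, b"") + tlv(0x03, b"\x00"))
```

inspect_cert(SAMPLE_DER) reports version 3, the single Basic Constraints extension, and "no Key Usage extension" as the only problem; a certificate with no [0] version element is reported as v1.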
Additional Information
References and more information on the valid structure of an X.509 certificate:
- https://tools.ietf.org/html/rfc5280
- https://en.wikipedia.org/wiki/X.509#Structure_of_a_certificate